roller-commits mailing list archives

From "ASF GitHub Bot (Jira)" <j...@apache.org>
Subject [jira] [Work logged] (ROL-2150) Fix Js security vulnerabilities detected using retire js
Date Fri, 11 Oct 2019 16:26:00 GMT

     [ https://issues.apache.org/jira/browse/ROL-2150?focusedWorklogId=326978&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-326978 ]

ASF GitHub Bot logged work on ROL-2150:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Oct/19 16:25
            Start Date: 11/Oct/19 16:25
    Worklog Time Spent: 10m 
      Work Description: adityasharma7 commented on pull request #37: Upgrade jQuery to 3.4.1
 ROL-2150
URL: https://github.com/apache/roller/pull/37
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 326978)
    Time Spent: 1h 50m  (was: 1h 40m)

> Fix Js security vulnerabilities detected using retire js
> --------------------------------------------------------
>
>                 Key: ROL-2150
>                 URL: https://issues.apache.org/jira/browse/ROL-2150
>             Project: Apache Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 5.2.4
>            Reporter: Aditya Sharma
>            Assignee: Aditya Sharma
>            Priority: Major
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> {code:java}
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE: CVE-2016-7103,
bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281
https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/target/roller/roller-ui/scripts/jquery-2.1.1.min.js
>  ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE: CVE-2016-7103,
bug: 281, summary: XSS Vulnerability on closeText option; https://github.com/jquery/api.jqueryui.com/issues/281
https://nvd.nist.gov/vuln/detail/CVE-2016-7103 https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/src/main/webapp/roller-ui/scripts/jquery-2.1.1.min.js
>  ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/themes/gaurav/js/jquery.js
>  ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/test-classes/themes/gaurav/js/jquery.js
>  ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/themes/gaurav/js/jquery.js
>  ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-1.12.4.js
>  ↳ jquery 1.12.4
> jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd
party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-2.2.4.js
>  ↳ jquery 2.2.4
> jquery 2.2.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party
CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue:
11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-3.3.1.js
>  ↳ jquery 3.3.1
> jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary:
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,
{}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/unsupported_plugins/ImageManager/smart-image.js
>  ↳ swfobject 2.0
> swfobject 2.0 has known vulnerabilities: severity: medium; summary: DOM-based XSS; https://github.com/swfobject/swfobject/wiki/SWFObject-Release-Notes#swfobject-v21-beta7-june-6th-2008{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
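The retire.js findings quoted in the issue flag CVE-2019-11358, the Object.prototype pollution in jQuery.extend(true, {}, ...) that jQuery fixed in 3.4.0 (the 3.4.1 upgrade in PR #37 picks up that fix). Below is an added example, not code from Apache Roller or jQuery: a small deep-merge function re-implemented in the pre-3.4.0 shape next to one carrying the `__proto__` guard jQuery introduced, run against a constructed JSON payload. Function names, the payload and the `isAdmin` key are this example's own.

```javascript
// Added example (not Apache Roller or jQuery code): the deep-merge pattern behind
// jQuery.extend(true, {}, ...) reimplemented in its pre-3.4.0 shape, which is
// vulnerable to Object.prototype pollution (CVE-2019-11358), next to the
// "__proto__" guard that jQuery 3.4.0 added. Function names are this example's own.

function isPlainObject(obj) {
  // Mirrors the idea of jQuery.isPlainObject: a literal-like object whose prototype
  // is null or Object.prototype. Object.prototype itself passes this test, which is
  // what lets the recursion below reach it.
  if (Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto.constructor === Object;
}

// Deep merge in the pre-3.4.0 style: every enumerable key of the source is walked,
// including an own key literally named "__proto__" (which JSON.parse happily creates).
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy === target) continue; // jQuery already guarded against this self-reference loop
    if (isPlainObject(copy)) {
      // For name === "__proto__", target[name] evaluates to Object.prototype, so the
      // recursion writes the attacker's keys straight onto it.
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Deep merge with the 3.4.0 fix: a key named "__proto__" is skipped entirely.
function deepExtendHardened(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || copy === target) continue;
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input: the kind of JSON body an endpoint might merge into
// default options with a deep extend.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "title": "hello"}';

// Runs one merge implementation against the payload and reports whether an
// unrelated, freshly created object inherited the injected property. Restores
// Object.prototype afterwards so the pollution does not leak past the demo.
function runScenario(extendFn) {
  const defaults = { title: "untitled" };
  const merged = extendFn(defaults, JSON.parse(ATTACKER_JSON));
  const victim = {}; // has nothing to do with the merge, yet is affected when polluted
  const result = {
    title: merged.title,
    victimIsAdmin: victim.isAdmin === true,
    prototypePolluted: Object.prototype.hasOwnProperty("isAdmin"),
  };
  delete Object.prototype.isAdmin; // clean up the global side effect
  return result;
}

// The vulnerable merge leaves every object in the realm with isAdmin === true;
// the hardened merge copies only "title".
const vulnerableResult = runScenario(deepExtendVulnerable);
const hardenedResult = runScenario(deepExtendHardened);
console.log("pre-3.4.0 behaviour:", vulnerableResult);
console.log("3.4.0+ behaviour:   ", hardenedResult);
```

The same payload is why retire.js flags every jQuery copy below 3.4.0 on the page, including the bundled xinha copies under `roller-ui/authoring/editors/xinha-1.5.1/libraries/`; upgrading the single `roller-ui/scripts/jquery-2.1.1.min.js` does not cover those other paths, so re-run the scan after the upgrade rather than assuming the report is clear.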
